Experts Insight On Hotel Booking Firm Leaks Info From Millions Of Guests

On Friday, research was published showing that a hotel reservation platform has been exposing highly sensitive data from millions of hotel guests worldwide, dating as far back as 2013 and including credit card details for hundreds of thousands of people. Based in Madrid and Barcelona, Prestige Software sells a channel management platform called Cloud Hospitality that automates hotels' availability on online booking websites such as Expedia and Booking.com. The company was reportedly storing years of credit card data from hotel guests and travel agents without any protection in place, putting millions of people at risk of fraud and online attacks.

Expert Comments

November 11, 2020
Jake Moore
Cybersecurity Specialist
ESET
This is yet another Amazon S3 bucket incident, which proves again that site owners are clearly not aware of the scale of this vulnerability. Time after time there are incidents where data is lost or compromised, and when the data is not even encrypted we are seeing potentially catastrophic outcomes. S3 is one of the oldest services in AWS and the good news is that it always defaults to secure and private. However, the bad news is that AWS allows people to use it and notoriously people weaken or even bypass security - sometimes without even being aware. Cloud misconfiguration can easily occur, so it needs to be double-checked by the people in charge of it. If you are concerned, log into the console and click on S3 and look for the ‘Public’ tag to see if any data is vulnerable to theft. AWS has taken measures to better educate its customers about proper S3 bucket configurations but the best protection is a two-way street where users take on some of the responsibility themselves too.
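The console's 'Public' badge mentioned above is derived from three things: the bucket ACL, the bucket policy, and the account or bucket Block Public Access settings. The script below is an added example (not ESET's, Prestige Software's or AWS's code) that reproduces that check offline against constructed sample data; in a real audit the three dicts would come from boto3's `get_bucket_acl()`, `get_bucket_policy()` and `get_public_access_block()` responses for each bucket in `list_buckets()`. The bucket names, policy and ACL contents are assumptions made up for the example.

```python
"""Offline check of whether an S3 bucket is reachable by 'everyone'.

Added example: the ACLs, bucket policies and Block Public Access settings
below are constructed for illustration. In a real audit the same three
dicts come (after unwrapping the responses) from boto3's get_bucket_acl(),
get_bucket_policy() and get_public_access_block() for each bucket.
"""
import json

# Predefined S3 groups; a grant to either one is what makes the console show 'Public'.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTHENTICATED_USERS}
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def acl_public_grants(acl: dict) -> list:
    """Return (group, permission) pairs that grant the bucket to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return findings


def _principal_is_everyone(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (string or list form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def policy_public_statements(policy_json: str) -> list:
    """Return the Sids of unconditional Allow statements open to any principal."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a policy may hold a single statement object
        statements = [statements]
    return [
        s.get("Sid", "<no Sid>")
        for s in statements
        if s.get("Effect") == "Allow"
        and _principal_is_everyone(s.get("Principal"))
        and not s.get("Condition")  # a Condition may narrow '*' (e.g. to a VPC); review those by hand
    ]


def audit_bucket(name: str, acl: dict, policy_json, bpa: dict) -> dict:
    """Combine ACL, policy and Block Public Access into one verdict for a bucket."""
    acl_findings = acl_public_grants(acl)
    policy_findings = policy_public_statements(policy_json) if policy_json else []
    # Block Public Access overrides: IgnorePublicAcls neutralises public ACL grants,
    # RestrictPublicBuckets neutralises a public bucket policy.
    effective_public = (bool(acl_findings) and not bpa.get("IgnorePublicAcls", False)) or (
        bool(policy_findings) and not bpa.get("RestrictPublicBuckets", False)
    )
    return {
        "bucket": name,
        "public_acl_grants": acl_findings,
        "public_policy_statements": policy_findings,
        "bpa_flags_off": [f for f in BPA_FLAGS if not bpa.get(f, False)],
        "public": effective_public,
    }


# --- constructed samples (not real buckets) ---------------------------------
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"}

# A log bucket opened to the world via both ACL and policy, with Block Public Access off.
LEAKY_ACL = {"Grants": [OWNER_GRANT, {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
LEAKY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-hotel-logs/*"}],
})
LEAKY_BPA = {f: False for f in BPA_FLAGS}

# A bucket left at its defaults: owner-only ACL, no policy, all four BPA flags on.
DEFAULT_ACL = {"Grants": [OWNER_GRANT]}
DEFAULT_BPA = {f: True for f in BPA_FLAGS}


def audit_samples() -> dict:
    """Run the audit over both constructed buckets."""
    return {
        "example-hotel-logs": audit_bucket("example-hotel-logs", LEAKY_ACL, LEAKY_POLICY, LEAKY_BPA),
        "example-default": audit_bucket("example-default", DEFAULT_ACL, None, DEFAULT_BPA),
    }


if __name__ == "__main__":
    for report in audit_samples().values():
        print(json.dumps(report, indent=2))
```

The `bpa_flags_off` list is worth reporting even when a bucket is not currently public: with all four Block Public Access flags on, a later accidental ACL grant or policy edit is rejected rather than silently exposing the data, which is the "default to deny" behaviour the comment describes.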
November 10, 2020
Anurag Kahol
CTO
Bitglass
Every year, hotel and booking platforms collect sensitive consumer data and store the personally identifiable information of millions of guests. To mitigate the risks of future data breaches and protect sensitive data, hospitality organisations and other companies need to have full visibility and control over their data. By leveraging multifaceted solutions that enforce real-time access control, detect misconfigurations through cloud security posture management, encrypt sensitive data at rest, manage the sharing of data with external parties, and prevent data leakage, organisations can ensure the privacy and security of customer information.
November 10, 2020
Boris Cipot
Senior Sales Engineer
Synopsys
This is not the first, nor the last time, that we will see an organisation unintentionally leak data on its users. As can be expected, there will likely be legal consequences that will cost the organisation a substantial sum. Nevertheless, it will be the users who will face the most damaging repercussions. They will no doubt see attackers attempt to infiltrate other accounts where passwords may have been reused, as well as phishing attacks sent to exposed email addresses. Financial data such as credit card numbers may be employed to conduct unauthorised purchases or for other authorisations. Identity theft is another scenario in which such exposed data may be abused as well. We can't be certain that bad actors have not already gained access to this data, but there are a few things that potentially affected users can do to proactively lower their risk and in turn, improve their security moving forward. First, users should change their password on the site as well as on any other online service where it may have been reused. It is worth employing a password manager if you are overwhelmed with the number of services used and the regulatory demands for strong passwords. Second, be wary of any email requesting personal data such as passwords, usernames, social security numbers or financial data. Service providers would never request such data over email or even on the phone. If ever in doubt, call your service provider or visit their web page directly and log in through the site. It is critical that you do not open attachments or click on links in emails. Finally, talk with your bank proactively - let them know that you have used a service that has leaked your data and check your bank statements regularly for suspicious activity. As for the issue of S3 buckets, I would say the following. Cloud technology is helping organisations in many ways to be better, faster, and more advanced in their operations.

However, processes to maintain this technology need to also be regarded as a priority. Introducing technologies in production needs to be paired with thorough checks to ensure that the data is properly safeguarded. While these checks may initially be time-consuming, they are necessary to prevent issues later down the line.
November 10, 2020
Chloé Messdaghi
VP of Strategy
Point3 Security
When it comes to reservation sites like Booking.com and Hotels.com, they all need to be better secured. The consumers that use those sites release so much personal information all at once – CC information, passport numbers, billing info, addresses, full names, additional guest names, etc. These sites are already known to not necessarily take proper care of people’s data and, in addition, they now have this third-party situation, which is Prestige Software. This breach pulled data all the way back to 2013, all really sensitive data, extremely sensitive data – full names, passports, phones, IDs, CC details, travel dates, etc. Many hotels don’t have IT security personnel on their team, which would be the team that would be tasked with determining the safety of any third-party platform. Keeping your own ecosystem safe is one thing – investigating the third parties that your organization works with is a whole other necessary task. This is a reminder for all the hotel companies out there to put security first. They all carry huge amounts of very sensitive data, and breaches like this one put the hotels themselves at risk – their reputations with their customers. And at the end of the day, the security and privacy of customers should always be top priority.
November 10, 2020
Warren Poschman
Senior Solutions Architect
comforte AG
The Prestige breach is the latest in a long trail of data leaked due to misconfigured cloud resources and S3 buckets in particular. Historical log data was dumped to the S3 bucket and contained large amounts of PII and PCI-related data. While this could have been mitigated by simply accepting the default S3 permissions to deny access, the root of the issue is that hotels and other organizations are playing with live data when they should instead be leveraging a data-centric security model to allow data to be protected as it is acquired and traverses through the organization regardless of where it is stored or accessed. Data-centric protection using technologies like tokenization allows the organization to use the protected data for day-to-day operations, analytics and data sharing – in this case it could have meant avoiding a breach entirely because the S3 bucket would have only contained de-identified, secure data.
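To make the tokenization argument concrete: the point is that the card number is replaced before a record is written anywhere, so a later bucket misconfiguration exposes only tokens. The script below is an added example, not Prestige Software's or comforte AG's code; the vault, the record layout, the field names and the sample reservation (using the well-known 4111 test card number) are all constructed for illustration. It keeps the token format-preserving (same length, same last four digits) so downstream code and analytics keep working, and it drops fields that have no use in a log at all.

```python
"""Tokenising card numbers before a reservation record reaches log storage.

Added example: the vault, record layout and sample record below are
constructed for illustration. Only the vault, which lives off the log
path (e.g. inside the payment service), can map a token back to a PAN.
"""
import re
import secrets


class TokenVault:
    """Vault-style tokenisation: one random, format-preserving token per PAN."""

    def __init__(self):
        self._pan_to_token = {}
        self._token_to_pan = {}

    def tokenize(self, pan: str) -> str:
        pan = re.sub(r"\D", "", pan)  # normalise '4111 1111 ...' and '4111-1111-...'
        if not 13 <= len(pan) <= 19:
            raise ValueError("not a card number")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]  # stable: the same card always maps to one token
        while True:
            # Keep length and last four digits so receipts and analytics still work;
            # randomise the rest so the token reveals nothing about the real number.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only callers with vault access can reverse a token."""
        return self._token_to_pan[token]


TOKENIZE_FIELDS = ("card_number",)   # needed downstream, so tokenise
DROP_FIELDS = ("card_expiry", "cvv")  # no use in a log, so remove outright


def protect_record(record: dict, vault: TokenVault) -> dict:
    """Return a copy of the reservation record that is safe to write to logs or S3."""
    safe = dict(record)
    for field in DROP_FIELDS:
        safe.pop(field, None)
    for field in TOKENIZE_FIELDS:
        if safe.get(field):
            safe[field] = vault.tokenize(safe[field])
    return safe


def record_exposes_pan(record: dict, pan: str) -> bool:
    """Check a record, as it would land in a bucket, for the real card number."""
    digits = re.sub(r"\D", "", pan)
    return any(digits in re.sub(r"\D", "", str(v)) for v in record.values())


# Constructed sample reservation, as an integration log line might carry it.
SAMPLE_RECORD = {
    "guest": "A. Example",
    "hotel": "Example Hotel Madrid",
    "check_in": "2020-11-10",
    "card_number": "4111 1111 1111 1111",  # well-known test PAN, not a real card
    "card_expiry": "12/23",
}


def demo():
    """Tokenise the sample record and return the vault alongside the safe copy."""
    vault = TokenVault()
    return vault, protect_record(SAMPLE_RECORD, vault)


if __name__ == "__main__":
    vault, safe = demo()
    print("stored record:", safe)
    print("recovered via vault:", vault.detokenize(safe["card_number"]))
```

The design choice to note is where the vault sits: the log pipeline only ever calls `tokenize()`, and nothing on the storage side holds a `detokenize()` path, so a copy of the bucket gives an attacker a list of tokens with no way to turn them back into card numbers.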
